-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to make it work in Kubernetes #21
Comments
Oh, now that's a weird error message. It's likely coming from when these lines run: docker-pgautoupgrade/docker-entrypoint.sh Lines 491 to 494 in 430eb92
Any idea why it would be unable to look up the effective uid in your environment? |
I think that is caused by the chart setting the security context similar to this. securityContext:
runAsUser: 1001 but the container does not have a user with uid 1001. when you do a Dockerfile like this FROM pgautoupgrade/pgautoupgrade:16-alpine
RUN adduser -u 1001 -G root -s /bin/sh -D pgautoupgrade and build it, it works fine You will then hit postgresql.conf not being present, bcs bitnami generates it on the startup into |
Any idea if there's something (preferably simple) we can change with our images to get it working? Hmmm, I wonder if changing the (note that I've just woken up and haven't had coffee yet, so that could be an obviously bad idea in 10 mins... 😉) |
Not sure yet, I gave up on it(due to the missing configs, and just went with a pg_dump) I wonder if you just add a user with uid 1001 if it will impact something else? from my testing so far(you don't have to do bitnami themselfs don't add the user, but instead just set |
Couldn't you just add a values.yaml for the chart with: securityContext:
runAsUser: 0 using helm I think the container entrypoint needs to run as root here, but I don't see much of a security concern running a small upgrade script as root in the cluster as one time only. Probably best to use I could update this wiki guide https://github.com/pgautoupgrade/docker-pgautoupgrade/wiki/Automating-The-Upgrade for a sample of using a Kubernetes initContainer at some point, if useful 😃 |
I also tried to get a initcontainer going to update bitnami postgresql charts automatically, and reached the same blocker with the missing postgresql.conf (there's an empty postgresql.auto.conf though) and pg_hba.conf Permissions issues are no big deal, worst case after running the migration with root it can chown the files again. Lacking the configs, however, is very annoying to workaround. Please share your ideas if you have any! Posting here my current non-working config for reference (see later comment)
|
I fixed the missing files problem by copying them as a postStart to the main container. It needs to run at least once before any migrations, but it's good enough. I am encountering another issue now where it cannot connect to the database after copying it to
|
@p4block We could look at adding Bitnami compatibility if doing so seems to be reasonably straight forward. For your install, where's the location of the missing files that you needed to copy? It is just the two files from Are there any soft links between files in that directory and the PostgreSQL data directory? As a data point, if you need to change the directory that PostgreSQL looks for its data files in, then the In the output you've pasted above, you have this as the final lines:
That |
@justinclift I worked around the problem by adding a hook to the bitnami container that copies them to the postgres data dir, but that's a hack imo I don't think they are truly needed, maybe an option to use some pgautoupgrade-shipped ones on the spot is enough.
As for the error log, sadly I can't see anything aside from a shutdown request.
This is the part that makes no sense to me, why would the script break here this way?
|
Ahhh. I think that error:
...lines up with the
It looks like they're supplying a Instead of copying over the one they provide, I'd probably try one with
If that turns out to work, is the Am thinking we could do something like this:
That would let us potentially automatically use the above |
Hmmm, thinking about that a bit more, we could just check if the That might only make sense for 'one shot' mode too, as we probably don't want to try running PG itself afterwards without the user supplied version of those files (which could potentially be very customised). |
The init container has a different filesystem than the main one, aside from the shared postgres folder. It would need to be told to ship default files. I saw a way to detect a high likelihood the postgres data folder being used in a bitnami container before.
When I changed auth to local (oops, didn't see before) I get a different error Coincidentally, the root user for this postgres instance is a "closed the cell and threw the keys to the river" situation. I've had the upgrade before using user accounts in docker, maybe it's something else entirely related to which user is being active at that moment in the script. I tried with the postgres docker image's pg_hba.conf with the same result, here for reference.
Now that I think of it, needing a database superuser account to perform the upgrade makes sense (although it's hella annoying for my usecase), and the postgres container makes the POSTGRES_USER account a superuser 🤔 So yeah, this part is PEBKAC. I am supplying a regular user to pgautoupgrade. I will find a way to reset the root password. I now wonder if the pgautoupgrade process even needs credentials at all, as it could just modify pghba to let itself in and do the upgrade. Thanks for your help, awesome project |
Yup. Got it to work. Using the stock postgres container I reset the password for the
This should work if you also manually put the permissive pg_hba.conf and bitnami's stock postgresql.conf in the postgres folder. Shipping some example postgresql.conf and pg_hba.conf, and maybe even ignoring existing auth patterns altogether and jamming the upgrade process (maybe optional) would be a nice feature I wouldn't complain about 😄 |
Nice work @p4block ! Looks like great info to make a wiki article from 😁 (although as you say, perhaps in the future pgautoupgrade could bypass auth / superuser requirement during the upgrade, making the process easier) |
Cool. Yeah, it sounds like with a bit of patience and testing stuff we should be able to automate this. Hopefully you're up for a bit of back-and-forth communication and experimentation @p4block? On that note, with the |
@p4block Oh, on a related topic does your database use any PG extensions? ie stuff loaded using We don't have the updating of those automated yet (there's the beginnings of a PR for it), so if you do you'll still need to manually check if they need updating. @spwoodcock Which reminds me, it's probably not a bad idea for us to have some kind of "things you should still do post-upgrade" wiki page, until the extension upgrading is automated too. Any interest in throwing something like that together? |
@justinclift rg is grep in rust, I just tried to look for signs of bitnami I can more or less go back and forth these days, I am very interested in getting this project more developed. I do have one postgres that uses extensions (the one for Immich) and it uses bitnami chart but with pgvecto-rs container. I haven't tackled it yet. |
Thought I could spare myself the frenzy of reproducing the configuration outside by temporarily replacing the bitnami postgresql image in my cluster by this one.
But getting this error:
postgres: could not look up effective user ID 1001: user does not exist
The text was updated successfully, but these errors were encountered: